Wednesday, 23 March 2016

Features of OWASP Zed Attack Proxy (ZAP)

Background

In this post I will show you some of the ZAP proxy features that I have explored so far.

Spider And Active Scan

Whenever you decide to attack a URL shown on ZAP's home page, ZAP will crawl the page and find the other relevant links that the base URL refers to in its response. It also works out which GET/POST requests apply. This is basically the spider attack.

For demo purposes I am going to attack the following URL -

http://ch01.mybluemix.net/ch01/

It's a simple challenge where you have to exploit a few vulnerabilities to guess the password :)

Next, ZAP will scan all the relevant URLs with test request parameters. It shows various attributes such as response code, response bytes, etc. You can also see the raw request/response by right-clicking the request entry in the Active Scan tab, and the list of applicable URLs in the left panel.

NOTE : One good trick for spotting irregular behaviour is to look at the size of each response and inspect further the ones that look fishy.

Resend Request

Another useful feature is "Resend". Just right-click the request in the left panel and select Resend. You can then edit the request as you wish (change request params or headers, add cookies, etc.) and send it.

Encode/Decode/Hash

This is a very handy feature that I love in ZAP. Input a string and it will give you its encoding, decoding or hash, whatever you need -
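To show what the Encode/Decode/Hash tab is doing under the hood, here is a small added example (my own illustration, not ZAP's code) that produces the same kinds of output from the Python standard library and, for the reversible encodings, tries to recover the original text the way you would when a captured parameter looks encoded. The function names and the sample strings are my own.

```python
import base64
import binascii
import hashlib
import string
from urllib.parse import quote, unquote


def encode_all(text: str) -> dict:
    """Return the encodings and hashes that ZAP's Encode/Decode/Hash tab offers for a string."""
    raw = text.encode("utf-8")
    return {
        "url": quote(text, safe=""),
        "base64": base64.b64encode(raw).decode("ascii"),
        "hex": raw.hex(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def _printable(text: str) -> bool:
    # A decoding that yields control bytes or binary garbage is almost never the right one.
    return all(c in string.printable for c in text)


def decode_candidates(value: str) -> dict:
    """Try each reversible decoding and keep the ones that yield printable text.

    Hashes are one-way, so only URL, base64 and hex decodings are attempted.
    A value can match more than one scheme; the caller decides which makes sense.
    """
    results = {}

    # URL decoding only means something if the value contains %XX escapes or '+'.
    if "%" in value or "+" in value:
        decoded = unquote(value)
        if decoded != value and _printable(decoded):
            results["url"] = decoded

    # Strict base64 validation so ordinary words are not misreported as base64.
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
        if raw and _printable(text):
            results["base64"] = text
    except (binascii.Error, ValueError, UnicodeDecodeError):
        pass

    # Hex: non-empty, even length and only hex digits.
    if value and len(value) % 2 == 0 and all(c in string.hexdigits for c in value):
        try:
            text = bytes.fromhex(value).decode("utf-8")
            if _printable(text):
                results["hex"] = text
        except (ValueError, UnicodeDecodeError):
            pass

    return results


if __name__ == "__main__":
    # Constructed sample input: the password value used later in this post.
    for name, enc in encode_all("ZAP").items():
        print(f"{name:7} {enc}")
    print(decode_candidates("WkFQ"))       # base64 of "ZAP"
    print(decode_candidates("5a4150"))     # hex of "ZAP"
    print(decode_candidates("a%20b%26c"))  # URL-encoded "a b&c"
```

The `validate=True` flag on `b64decode` matters: without it Python silently discards non-alphabet characters, so almost any string "decodes" and you get false positives when triaging parameters.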

Fuzzer

ZAP has an in-built fuzzer that you can use. Simply select the URL you want to fuzz -> Right click -> Attack -> Fuzz

You will need to highlight the area you want to fuzz and select Add payload. The highlighted area can be anything: a request parameter, a cookie value, a header, etc. The payload can also be anything: a list of strings, scripts to be injected, random values, alphabets, etc.

A sample example is in the screenshot below -

In the above example I have highlighted "ZAP", which is the password, so I am going to fuzz various password values. Next, click Add to add payloads. You can define your own sets of strings as well; I am using the in-built file fuzzer, which provides predefined sets of strings. Finally, click "Start Fuzzer" to start fuzzing.

NOTE : Again, as I mentioned before, it is always advantageous to sort by response size to check for unusual responses to exploit :)
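Both NOTEs in this post (the one under Active Scan and this one) come down to the same triage idea: the normal response forms one big cluster of identical sizes, and anything far from that cluster deserves a closer look in the request/response view. The added example below (my own code, not part of ZAP) automates that sort-by-size step over a constructed set of fuzzer results; the `FuzzResult` records, the payload strings and the byte counts are made up to look like a typical fuzzer run, and `flag_outliers`/`size_clusters` are my own names.

```python
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class FuzzResult:
    payload: str
    status: int
    size: int  # response body length in bytes, like the "Size" column in ZAP


# Constructed sample: a fuzzer run over a login form's password field.
# Most payloads get the same "wrong password" page; a few responses differ.
SAMPLE_RESULTS = [
    FuzzResult("admin", 200, 1342),
    FuzzResult("password", 200, 1342),
    FuzzResult("123456", 200, 1342),
    FuzzResult("letmein", 200, 1343),   # one byte off: same page, not interesting
    FuzzResult("qwerty", 200, 1342),
    FuzzResult("A" * 200, 500, 2876),   # over-long input produced an error page
    FuzzResult("ZAP", 302, 211),        # redirect: different code path entirely
    FuzzResult("welcome", 200, 1342),
]


def size_clusters(results):
    """Group results by (status, size) and return counts, most common first.

    The top entry is the 'normal' response; everything below it is the
    short list you would open by hand.
    """
    return Counter((r.status, r.size) for r in results).most_common()


def flag_outliers(results, tolerance=16):
    """Return results whose size differs from the median by more than `tolerance` bytes.

    Using the median rather than the mean keeps one huge error page from
    dragging the baseline towards itself. Results come back most unusual first,
    which is the same order you get by sorting ZAP's table by size.
    """
    median = statistics.median(r.size for r in results)
    return sorted(
        (r for r in results if abs(r.size - median) > tolerance),
        key=lambda r: abs(r.size - median),
        reverse=True,
    )


if __name__ == "__main__":
    for (status, size), count in size_clusters(SAMPLE_RESULTS):
        print(f"{status} {size:6d} bytes  x{count}")
    print("worth a closer look:")
    for r in flag_outliers(SAMPLE_RESULTS):
        print(f"  {r.status} {r.size:6d} bytes  payload={r.payload[:20]!r}")
```

The `tolerance` argument absorbs small differences such as a timestamp or a CSRF token changing length between responses; raise it if the baseline page itself varies a lot, and combine the size view with the status-code clusters, since a different status with a similar size is just as telling.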